
Additional Configuration for Azure AD Single Sign-On for WordPress


Once the Azure AD SSO for WordPress has been configured, you can proceed with some additional configuration steps to make the most out of Single Sign-On for WordPress. This includes steps for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout, and more.

  • In the Service Provider Setup tab, after the metadata exchange, click on Test Connection.
  • After performing SSO, the default attributes will be sent from Azure AD and will be available for Attribute Mapping.
  • Azure AD sends certain default attributes for every connection; these are listed in the table.

Adding extra Attributes on the Azure AD Side:

  • Go to Attributes & Claims and click on the Edit button.

  • Under the Manage Claim tab, fill in all the required fields: Name, Namespace, and Source attributes.
  • Then, click on Save.

  • Navigate to the Service Provider Setup tab and click on Test Connection.
  • A popup window will appear. If your connection is successful, the list of mapped attributes and the custom attribute will be displayed.
  • This feature allows you to create custom attributes that can be mapped to any of the attributes sent by Azure AD. The value is stored in the user meta table in the WordPress database.
  • Write your custom attribute name in the Custom Attribute Name input box, then select the attribute from the IDP using the dropdown in the Attribute Name from IDP field.
  • To display this custom attribute in the users menu table in WordPress, enable the Display Attribute toggle.

  • You can add new attributes using the Add Attribute button.
  • Then click on the Save button to save the configuration.
  • The Attribute Mapping section also provides mapping for fields named Group/Role.
  • This attribute will contain the role-related information sent by the Identity Provider (i.e., Azure AD).
  • Roles are allocated to specific users on the basis of their roles/groups at the time of login.
  • The value of this attribute which is mapped to Group/Role will be considered in the Role Mapping section.

  • Values of selected Group/Roles of respective users can be placed in the input box of different default Roles which have to be assigned to the respective user.

Role / Group Mapping on the Azure AD:

  • By default, the User group will be sent in the SAML response. You can edit it under the Attribute tab.
  • To add a new group, click on Add a group claim.

  • In Group Claims, you can select the group as well as the source attribute to send in SAML response.
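
An added example (not the plugin's code) of how the values in the Azure AD group claim can be resolved to a WordPress role at login, using exact matching and a least-privileged fallback. The role table, the GUIDs, the precedence order and the function names are assumptions for illustration, and the sample attribute statement is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Azure AD uses for group claims in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical role table, ordered most- to least-privileged (assumed precedence).
# The GUIDs are constructed stand-ins for Azure AD group object IDs.
ROLE_MAP = [
    ("administrator", {"11111111-1111-1111-1111-111111111111"}),
    ("editor", {"22222222-2222-2222-2222-222222222222"}),
]
DEFAULT_ROLE = "subscriber"  # fallback for users whose groups are not mapped

# Constructed sample; a real statement arrives inside a signed SAML response
# and must only be read after the signature has been verified.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def group_values(statement_xml, claim=GROUPS_CLAIM):
    """Return the non-empty values of the attribute mapped to Group/Role."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim:
            for value in attr.iterfind("saml:AttributeValue", NS):
                text = (value.text or "").strip()
                if text:  # an empty value must never match a mapping entry
                    values.append(text)
    return values


def resolve_role(groups, role_map=ROLE_MAP, default=DEFAULT_ROLE):
    """Pick the first role whose mapped values intersect the user's groups."""
    present = set(groups)  # whole-value comparison, no substring matching
    for role, mapped in role_map:
        if present & mapped:
            return role
    return default


if __name__ == "__main__":
    print(resolve_role(group_values(SAMPLE_STATEMENT)))
```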

  • For configuring Single Logout, scroll down to the logout URL in the Single Sign On tab.

  • Then enter the Single Logout URL from the Service Provider Metadata tab in the plugin.

  • For Signed SSO Requests, enable the Sign SSO & SLO Requests toggle in the Service Provider Setup tab in the plugin.

  • Download the SP Certificate from the Service Provider Metadata tab.

  • Now, navigate to the Azure AD platform.
  • To allow signed requests and their verification, click on the Edit button in Verification certificates.

  • Then, check both Require verification certificate and Allow request signed options.

  • Click on Upload certificate and select the .cer formatted file.
  • If you have a .crt formatted file instead, follow the process below:
    • Open the certificate file downloaded from the Service Provider side.
    • Go to the Details tab and click the Copy to File button.
    • Select the Base-64 encoded X.509 option and click on Next.
    • Then enter a filename and click on the Next button.
    • Finally, click on the OK button to save the certificate.


Setting up additional configuration for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout along with SSO allows you to maximize efficiency and user identity management from your IDP to your WordPress site.

